Microsoft’s System Center Configuration Manager (SCCM) is a paid lifecycle management solution from Microsoft that keeps track of a network’s inventory, assists in application installation, and deploys updates and security patches across a network. While SCCM uses Microsoft’s WSUS patching system to check for and install updates, it gives users additional control over when and how patches are applied, and includes many more features which make it an attractive option for large enterprise networks. However, SCCM presents several challenges for networks looking for one solution to patch all devices, operating systems, and third party applications, so it is important to evaluate the pros and cons of patching with SCCM.
Pros of SCCM
Part of a Full Lifecycle Management System for Windows: SCCM includes a wide range of functions that provide flexibility over how patches are applied, generate system-wide reports, and allow for control over any Windows machine in the network from one central console. SCCM provides a suite of endpoint protection tools and with the correct configuration can be a full lifecycle management system for IT departments with a high percentage of Windows systems.
Integrates Seamlessly with Windows Systems: Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft products. In recent years, SCCM has tried to adapt to the trend of employee-provided devices connecting to company networks, and now supports “Bring Your Own Device,” meaning that devices added to a network by individual employees can be controlled via SCCM and flagged if they are not updated.
Control via GUI and Support via Microsoft: SCCM is controlled via a relatively simple GUI, which means it is easier to learn and implement than self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft service, it also has good support via community channels and Microsoft itself.
Cons of SCCM
High Costs to Acquire and Run: SCCM is usually sold as part of a larger suite of tools from Microsoft, and is prohibitively expensive for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for endpoints and servers. SCCM is also an on-premise solution which requires an SQL server to run, resulting in high ongoing operating costs and resource requirements to maintain.
Built for Windows-Dominated Systems: SCCM is built first and foremost for Windows systems and therefore its functionality and updates are focused around Windows. Non-Windows systems including Mac and Linux can be managed through SCCM as end-clients, however the process is kludge as SCCM still requires a Windows server to run and the functionality for non-Windows systems is reduced. For mixed-OS environments, manual elements of patching remain even with SCCM installed, a major downside for companies that are already paying a large sum for SCCM.
Limited Ability to Patch 3rd Party Applications: While SCCM adds more support for 3rd party applications than WSUS, the ability for SCCM to patch 3rd party applications is very limited and the source of much frustration among IT Managers. On Microsoft’s SCCM feedback page, improvements to 3rd party patching are the top request. Which is no surprise, considering that 3rd party software accounts for up to 76% of vulnerabilities on the average PC1, the difficulty of configuring SCCM to patch 3rd party applications automatically can put your infrastructure at risk.
Alternatives to SCCM
SCCM is a viable solution only for enterprises that can both afford it and have a Windows only infrastructure. However, with mixed operating systems becoming the norm, SCCM is less valuable in terms of patching capabilities and efficiency.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.